Privacy Preserving Technology

From paper to refrigerator

KP Chow

Center for Information Security and Cryptography

University of Hong Kong

Apr 2017

Edward

Snowden

• When Snowden in Hong Kong met the

journalists, he made them put their mobile

phones in a refrigerator, why?

CISC

2

To block all signals to and from the phones,

to stop someone remotely turn the phones

into listening devices

CISC

3

Surveillance

The careful watching

of a person or place (Cambridge dictionary)

Privacy Preserving

• Avoid surveillance

• Block surveillance

• Distort surveillance

• Break surveillance

CISC

4

Avoid Surveillance

• Many surveillance techniques

appeared automatically based on

what you have and your behavior

– Alter your behavior to avoid

surveillance

CISC

5

• Some surveillance activated

automatically based on your behavior

– Avoid activating automatic surveillance

system by deliberating not tripping their

algorithms

Alter your behavior

– Pay in cash instead of using credit card

– Don’t tag photos of your family members

or friends

– Stop using Google calendar, webmails,

iCloud backup

– Leave your mobile phone at home

– Change your driving route to avoid traffic

cameras

– Loan a PC instead of using your own PC

in some countries

CISC

6

Avoid activating – Keep your cash transactions under the

threshold over which banks must report

the transaction to HKMA

– Do not discuss certain topics in email

– Write messages on paper then send

photos of messages using WhatsApps

– Using steganography

CISC

7

Will not work with

targeted surveillance

CISC

8

Consistent Behavior

Avoid change behavior when doing

some things you consider secret,

should have behavior consistent

CISC

9

Application of Big Data

Mass surveillance data

analysis

CISC

10

Can we block surveillance?

The agencies can defeat anything you do

if you are targeted, while mass

surveillance relies on easy access to data.

It is not possible to target

everyone now.

Privacy Enhancing

Technologies (PET)

• Help you block mass surveillance, e.g.

– Browser plug-ins that block sites that

track your web serving behavior

CISC

11

Does encryption solve all

problems?

• Do you encrypt your hard drives?

Using BitLocker or TrueCrypt?

• Are you using chat messenger with

encryption?

• Is your Cloud services support

encryption?

• Do you encrypt your email? e.g. PGP

• Are you using “https”? CISC

12

Some problems with

Encryption

• Many encryption tools are

difficult to use

– Have you ever use PGP

email encryption?

• Many of them are not

transparent to users

CISC

13

Some limitations of

encryption • Connection to Gmail is “https” and emails

stored in the server is encrypted

– Who has the key?

• Metadata cannot be encrypted, e.g.

– Sender and receiver of emails

– Mobile phone can encrypt your voice

communications, your dialed phone no. is not

encrypted

CISC

14 Commonly used technique:

traffics analysis

Misconception of encryption

• Encryption doesn’t protect your

computer while in use

– When the encrypted data is in use in a

PC, it exists in plain form

– If your PC is in hibernation mode, …

– If your PC is hacked, …

– If you have the encryption key stored in

the PC, …

– If …

CISC

15

CISC

16

Protect your

communication

From high-tech to low-tech

The Onion Router (TOR)

• Protect your anonymity when

browsing the web

– against web sites tracking

– against traffic analysis

• Easy to use with TORbrowser

CISC

17

Something simple

• Turn location service off on your mobile phone

when you don’t need it

• Try to understand which apps access your

data

• Not posting identifying details on public sites,

e.g. your registration information with this

seminar

CISC

18

Low Tech Approach

• Put a sticker over the PC’s camera

• Leave the return address off an envelop

• Say no when asked to provide personal

information

• Stop subscribing to those “loyalty” programs

offered by the shop

CISC

19

Of course, you can

always wear a mask

CISC

20

Today’s topic

Big Data

Data mining and

data analysis

Data Mining

• Everyone will mine your behavior,

e.g. e-commerce shop

• Can you do anything?

CISC

21

Distort surveillance

or “obfuscation”

Distort Surveillance

Some simple tasks

• Delete cookies when you close the

browser, and e-commerce sites will

be difficult to track you

• Using your friends “loyalty” program

numbers when you go shopping

• Wear improper shoe to fool the “gait”

recognition systems

CISC

22

CISC

23

Data Mining using

“Big Data”

Distortion relies on

“Big Number”

Big Number

• Everyone using postcards by default,

the few who used envelopes would be

suspect

– Everyone using envelops, those who really

need the privacy of envelope don’t stand

out

• Everyone using TOR, those who really

need TOR will not stand out!

CISC

24

What is data analysis?

• A signal-to-noise problem

• Remove noise from data to find the signal

• Add “random” noise makes the analysis

harder

CISC

25

Good data analysts are

smart

What is “random” noise?

• No answer is not “random noise”

• When asked for your address and

phone number, you can

– Give your real address and phone no.

– Don’t give anything

– Give someone else address and phone

no., e.g. 12/F, 248 Queen’s Road East

CISC

26

Deceiving??

• Some agencies use the mobile

phones to track the targets

• The target can use the mobile phone

to deceive, e.g. leave it at home

CISC

27

CISC

28

Can you break surveillance?

Depends on how skillful

you are.

May not be legal.

Hacking – illegal

• Disable Internet surveillance system,

if you know they exist

• Delete or poison surveillance

database

CISC

29

Any legal approaches?

• Enter random information in web

forms

• Search for random things on Google

to avoid being profiled

CISC

30

CISC

31

There is no free lunch

Balance between what you

need to give out vs. what they

offer you

Conclusion 结论

大数据

Big Data

CISC

32

You should protect your own …

• 互联网 + Internet +

谢谢 Thank You